Main Vulnerability Database Vulnerabilities #VU50955

#VU50955 DNS rebinding in Node.js - CVE-2021-22884

Published: February 25, 2021

Vulnerability identifier: #VU50955

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2021-22884

CWE-ID: CWE-350

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Node.js

Software vendor:
Node.js Foundation

Description

The vulnerability allows a remote attacker to perform DNS rebinding attack.

The vulnerability exists due to the application whitelist includes the “localhost6” name. When “localhost6” is not present in /etc/hosts, it is treated an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain.

Remediation

Install updates from vendor's website.

External links

https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/

#VU50955 DNS rebinding in Node.js - CVE-2021-22884

Description

Remediation

External links

Please verify you're human